The CyberWire Daily Podcast 1.21.22
Ep 1499 | 1.21.22

Ukrainian crisis continues, with attendant risk of hybrid warfare. MoonBounce malware in the wild. Pirate radio hacks a number station.


Dave Bittner: U.S. and Russian talks over Ukraine conclude with an agreement to further exchanges next week. Western governments continue to recommend vigilance against the threat of Russian cyberattacks against critical infrastructure. The U.S. Treasury Department sanctions four Ukrainian nationals for their work on behalf of Russia's FSB and its influence operations. A firmware bootkit is discovered in the wild. Security turnover at Twitter. Caleb Barlow looks at Wi-Fi hygiene. Our guest is Allan Liska on his latest ransomware book, and a number station gets hacked in style.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Friday, January 21, 2022. Both sides of the dispute over Russian preparation for hybrid warfare against Ukraine bring firm lines with them to the talks now underway in Geneva, where U.S. Secretary of State Blinken is meeting Russian Foreign Minister Lavrov. The Guardian reports that Secretary Blinken told his counterpart that the U.S. would reply formally to Russian proposals - that is, the soft ultimatum issued last week - sometime next week, but that certain NATO positions, in particular the right to offer membership to Ukraine and other countries, were not up for negotiation. The secretary also said that the U.S. was open to a summit between Presidents Biden and Putin. Secretary Blinken summarized the U.S. position, which he took care to point out was also the NATO position. 


Antony Blinken: The discussion today with Mr. Lavrov was frank and substantive. I conveyed the position of the United States and our European allies and partners that we stand firmly with Ukraine in support of its sovereignty and territorial integrity. We've been clear: if any Russian military forces move across Ukraine's border, that's a renewed invasion. It will be met with a swift, severe and united response from the United States and our partners and allies. 

Dave Bittner: Those remarks are courtesy of C-SPAN. 

Dave Bittner: The Wall Street Journal sees last week's cyberattacks against Ukrainian targets as pointing to a broader risk of more general cyberwar. WhisperGate was, like NotPetya a few years ago, a pseudo-ransomware attack that delivered a wiper behind defacements and spurious ransom demands. It was, however, less sophisticated than its predecessor. And in particular, it lacked the self-propagating worm features that made NotPetya a general danger. In any case, governments in the civilized world continue to take the threat of Russian cyberwar seriously. Canada's Communications Security Establishment Wednesday warned critical infrastructure operators, quote, "to bolster their awareness of and protection against Russian state-sponsored cyberthreats," end quote. The CSE cites earlier warnings by Britain's National Cyber Security Centre and the U.S. Cybersecurity and Infrastructure Security Agency. Indeed, the specific recommendations all three organizations offer track one another closely. 

Dave Bittner: Ukraine has asked another one of the Five Eyes, Australia, for technical assistance to help defend it against cyberattack, the ABC reports. And Australia has said that it stands in solidarity with NATO in support of Ukrainian security. 

Dave Bittner: Security firm Mandiant has outlined the form it expects Russian cyber operations to assume. Quote, "Russia and its allies will conduct cyber-espionage, information operations and disruptive cyberattacks during this crisis. Though cyber-espionage is already a regular facet of global activity, as the situation deteriorates, we are likely to see more aggressive information operations and disruptive cyberattacks within and outside of Ukraine," end quote. Russia's allies in this case are Belarus and the occupied Ukrainian provinces in Crimea and the Donbass. The company thinks that both information operations and cyberattacks proper are a high risk. Quote, "cybercapabilities are a means for states to compete for political, economic and military advantage without the violence and irreversible damage that is likely to escalate to open conflict. While information operations and cyberattacks such as the 2016 U.S. election operations and the NotPetya incident can have serious political and economic consequences, Russia may favor them because they can reasonably expect that these operations will not lead to a major escalation in conflict," end quote. 

Dave Bittner: The U.S. Treasury Department yesterday announced that it was bringing sanctions against four individuals for their role in advancing Russia's influence operations with the objective of destabilizing Ukraine. Treasury explained its rationale as follows. 

Dave Bittner: Quote, "today's action is intended to target, undermine and expose Russia's ongoing destabilization effort in Ukraine. This action is separate and distinct from the broad range of high-impact measures the United States and its allies and partners are prepared to impose in order to inflict significant costs on the Russian economy and financial system if it were to further invade Ukraine. The individuals designated today act at the direction of the Russian Federal Security Service, the FSB, an intelligence service sanctioned by the United States, and support Russia-directed influence operations against the United States and its allies and partners," end quote. 

Dave Bittner: The individuals sanctioned include two members of Ukraine's parliament and a former deputy secretary of the Ukrainian National Security and Defense Council. The connection with the FSB is important since that Russian agency is itself under sanction. 

Dave Bittner: Researchers at security firm Kaspersky report finding the third known firmware bootkit, MoonBounce, in the wild. Implanted in UEFI firmware, MoonBounce is, Kaspersky says, not only sophisticated, but difficult to detect and remove. 

Dave Bittner: The researchers attribute the activity, with high confidence, to APT41, a Chinese threat group also known as Barium, Winnti and Wicked Panda. APT41 carries out state-directed espionage, but there's also good reason to think it runs an APT side hustle as well, engaging as it does in financially motivated cybercrime. The U.S. FBI has had five members of APT41 on its wanted list since 2019. 

Dave Bittner: Forensic News reports that U.S. officials are concerned that the Russian company Infotecs has maintained a business presence in the U.S. despite its place on the Commerce Department's Entity List. 

Dave Bittner: Twitter has purged its security team, The New York Times reports. The social platform's new CEO, Parag Agrawal, let Mudge, the company's head of security, go this week, and Twitter's CISO, Rinki Sethi, is also departing. They're both likely to land somewhere else soon. 

Dave Bittner: CISA issued four industrial control system advisories yesterday. Such advisories are always worth a look, and especially right now with the civilized world very much on the alert for cyberattacks against critical infrastructure. 

Dave Bittner: And, hey, everybody. Let's think a little about spycraft, electronic warfare and popular music. Some pirate radio station has hacked into the Russian numbers station UVB-76, a Cold War relic still active that for decades has broadcast numbers and beeps in support of espionage operations. It's on the shortwave, and it sounds like this, with some Tatiana (ph) or Katarina (ph) reading off a corny bunch of numbers, totally in Russian, like this. 


UNIDENTIFIED PERSON: (Speaking Russian). 

Dave Bittner: So, of course, the pirates also put up a bunch of predictable internet-inspired memes, which, when you think about it, is really OK in its own way, too, because the noise they put up through their SDR drew a troll face when you ran it through the spectrum analyzer. But Vice says the hackers also chose to replace some of the dull beep and number feed with "Gangnam Style." 


PSY: (Singing) Oppa Gangnam Style. Gangnam Style. 

Dave Bittner: So props to the pirates for acting like a bunch of internet delinquents and K-pop hotheads. As an exercise in jamming, it's pretty good, like the way the opposing force at the National Training Center used to jam the blue force tactical nets with "California Dreamin'" - because nothing says a Guards Motorized Rifle Division is on the move into your AO better than The Mamas & The Papas. 

Dave Bittner: So well done, pirates - not actually that we approve of this sort of thing. But on the other hand, you've got to admire their style, especially when it's "Gangnam Style." 

Dave Bittner: Allan Liska is a threat intelligence analyst at Recorded Future and author of the new book "Ransomware: Understand. Prevent. Recover." I spoke with Allan Liska over on the "Recorded Future" podcast about the book, and we've got an excerpt from that conversation here. 


Allan Liska: I co-authored a book with Tim Gallo back in 2016. And the ransomware kind of market has changed a lot since 2016, and ransomware attacks have changed dramatically. Some of the defenses that are needed have changed. Two really big things are big game hunting - so instead of - you know, when I wrote in 2016 - or when we wrote in 2016, ransomware was single machine, encrypt that machine, and then you're done. It was still a big problem for organizations because they were getting hit a lot. You know, so those single machines kind of added up, whereas today, it's encrypting thousands of machines at the same time. And, of course, with that comes a much more hefty ransom involved. And then there's also the idea of that extra extortion, the double and triple extortion, of leaking files, which wasn't the case. 

Allan Liska: And, you know, and I'll also throw in ransomware as a service has made it a lot easier for anybody to kind of get into the ransomware game, whereas in 2016, you had to have some level of technical skills - not much, but you had to have some. Now, really, there's handbooks. There's guides that are available. You know, ransomware actors brag about how easy their ransomware is to install once you get in the network. And so that really does make a big difference. 

Dave Bittner: Yeah. It strikes me how much this vertical, I guess we could call it, has really professionalized itself - that, you know, it's not just, you know, the kids in the, you know, in the AV club who are doing this. I mean, these are serious organizations. 

Allan Liska: Right. Absolutely. I mean, you know, when we talk about the growth of ransomware, it's not just that ransomware itself has gotten bigger, but the ransomware inc., if you will, has gotten bigger and that, you know, now you have ransomware groups that hire professional negotiators. Well, not professional - they hire at least English-speaking negotiators. Let's say that. You know, they hire developers to build out their ransomware. They hire initial access brokers to gain that first footing, you know, and then buy the access from them. So there's this whole sort of set of cottage industries that have sprung up in support of ransomware, and part of that is just because ransomware makes so much money. Right now, outside of, possibly, business email compromise, ransomware is the most profitable, by far, cybercriminal activity. 

Dave Bittner: So what has changed, then, in this updated book in terms of your recommended approaches for people to prevent this and deal with it if they do find themselves falling victim to it? 

Allan Liska: You know, it's funny because some of the things just haven't changed. People just haven't started doing them yet. So, you know, some of the things like - you need better asset management, you need better vulnerability management, right? That's kind of - we've - you know, you've been doing this for a long time. I've been doing this for a long time. We've been saying that for 20-plus years. That still is - kind of needs to be done. Network segmentation - that was in the first book, and that's still highly recommended now, even more so with, you know, mass deployment of ransomware. 

Allan Liska: Some of the things that are different, though - really focusing on improving your incident response and disaster recovery plans. So, you know, before, your incident response was on a single machine, right? So you could have kind of a loose-based incident response or a loose-based disaster recovery because you were only recovering for one thing. So if it wasn't fully up to date or whatever, it wasn't the end of the world. 

Allan Liska: Now you need an updated incident response plan and disaster recovery plan because you need to take into account the fact that you're not down one machine, but you're down a thousand machines. And how are you going to respond? How are you going to get services back online? How are you going to prioritize that, especially when, once it happens, every other part of your organization is going to tell you that they need to be a top priority? So, you know, you need to have that in advance. 

Allan Liska: Ransomware negotiators weren't a thing when we wrote the last book - so discussing when you need to hire a ransomware negotiator and, you know, if you're going to have to pay the ransom, why it's so important to have a good ransomware negotiator in there instead of trying to do it yourself. 

Allan Liska: Double, triple, quadruple extortion wasn't a thing - how to prepare for that, how to handle the fact that you're going to have a whole lot of bad news coming your way, possibly for weeks or months at a time depending on, you know, whether you pay the ransom and how long the ransomware actor kind of strings out the release of files. 

Allan Liska: And then, you know, really, there's a whole chapter dedicated to protecting your domain controller because that wasn't as big a deal. When they're landing on a single machine, not as big of a deal to have to worry about them getting credentials and getting to the domain controller. But now that's kind of critical to any ransomware operation, so it has to be critical to any ransomware defense. 

Dave Bittner: That's Allan Liska from Recorded Future. The book is "Ransomware: Understand. Prevent. Recover." You can hear my complete interview with Allan on the "Recorded Future" podcast. 

Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects, where you get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. Caleb, it is always great to have you back on the show. You know, we just went through the holiday season, and that means lots of folks have gotten lots of new devices that they are hooking up to their home networks. And for most people, I'm sure that means Wi-Fi. What are some of the things we need to look out for as we're connecting these newly purchased devices? 

Caleb Barlow: Dave, did you get anything for Christmas besides coal? 

Dave Bittner: (Laughter). 

Caleb Barlow: Did you get those cool Apple or Google devices you were after? 

Dave Bittner: You know, I got some N95 masks. I got a new toothbrush. 

Caleb Barlow: You've been a bad boy, Dave. 

Dave Bittner: It's - it was - we called it the loosey-goosey Christmas this year. So, you know what? I cannot say that I got any fancy electronic devices this year, no. 

Caleb Barlow: Well, I know you have kids of similar age to mine. 

Dave Bittner: Yes. They did (laughter). 

Caleb Barlow: And if your home network is anything like mine, it's totally out of control in COVID time. So, like, every kid in the neighborhood is connected to my network, every visitor and every device. And I swear, if a 14-year-old shows up at my house, they've got a watch, they've got a phone, they've got four other devices. And they need Wi-Fi when they come to the door because it's more important than food, you know. But the bigger problem is many of these things - old appliances, friends that aren't friends anymore - they are still connected to your network, right? And this includes everything from my Sub-Zero refrigerator, which is connected to my network. Why, I don't completely understand. 

Dave Bittner: (Laughter). 

Caleb Barlow: Well, if you leave the door open, it sends you an alert, which is kind of cool, right? 

Dave Bittner: OK. That's useful. 

Caleb Barlow: The alarm system lighting, who knows what else. But the problem here is you don't know the inventory of what's connected in your house. And more importantly, you don't have any idea of what's old, unpatched, no longer needed. So let's talk about a way to clean this up, Dave. OK. So this kind of fits into New Year's resolutions, right up there with change the batteries on your fire alarm. I want everybody to go out and change the name of your home Wi-Fi network because this is the easiest way to root out all the devices. And yes, it's going to be painful for your kids for 24 hours, right? So add devices back in as you find them. If your router allows you to do it, you can figure out, you know, the few things you've got that are hardwired. But refresh it clean, and make sure everything is updated and patched as you add it back onto your Wi-Fi network. 

Dave Bittner: What about some of the things that may not immediately alert you that they're a problem, you know, like you mentioned, your Sub Zero freezer? I'm thinking about your alarm system might not immediately tell you that, hey, I don't have access here. Is that a concern? 

Caleb Barlow: Well, if you have life safety devices in your house, like, you know, you should definitely make sure, for example, your alarm system is connected or, you know, if grandma lives with you and has some sort of, you know, alerting mechanism, you definitely want to make sure those things are connected. I would also argue, do you really want those things wirelessly connected? Maybe they should be hardwired, right? But the next thing that you've got to do here is when you rename it - and we've talked about this on the CyberWire before, this is really important - you've got to name it to something not unique, not your address and certainly not your name. 

Caleb Barlow: What most people don't realize is that your SSID is mapped. It's mapped by cellular carriers. It's mapped by the trucks that are driving around, you know, doing street mapping because the SSIDs in neighborhoods are used when you can't get a GPS signal to figure out where devices are. And if your SSID was Bittner Net, I could go out and look that up and figure out where in the world it is. And it would tell me where your router is within a few feet. 

Caleb Barlow: And don't forget, your devices are broadcasting out your - the SSIDs they connect to all the time. So all I have to do is be near you, and I can figure out what your home Wi-Fi network is. And then I can figure out where you live. And oddly enough, you know, when I consult with law enforcement, this is a great tactic for law enforcement to figure out where a suspect's been traveling, where they connect to because they're broadcasting it out. And all they've got to do is look up those SSIDs and figure out where they are. 

Dave Bittner: All right. Well, good advice for sure. Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Be sure to check out "Research Saturday" and my conversation with Rob Boyce from Accenture Security. We'll be discussing his joint research with Prevailion titled, "Who Are The Latest Targets Of Cyber Group Lyceum?" That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.